Re: BIND9 negative cache after timeout.

07-03-2003
Mark_Andrews@isc.org


> I won't give an answer there because I have another related question:
>
> Yes, sometimes my DNS server receives queries for an A record which I am not
> authoritative for... So as the query is recursive (and I allow recursion)
> I'm eventually talking to the authoritative server for that domain name...
> But that server times out...
>
> The question is: will my DNS server 'negatively cache' this hostname ? or
> will it try to do the recursive job all over again ?
>
> If the last assumption is the right one then this can be an easy way to do
> Denial-of-service:
>
> as a hac|<er:
> * you register bad-domain.com and delegate it to a server and
> * you make sure any query times out...
> * you flood the victim with such recursive queries...
> * As it takes quite a while to resolve, you will easily and rapidly fill up
> the "recursive client" quota... and here we go !


And it is also an easy one to prevent. Don't have a wide
open caching server. Apply anti-spoofing filters at the
IP level.

Given the failure modes of nameservers you can't just say
because a nameserver failed to respond to a particular query
that it will also fail to respond to another query. There
are an effectively infinite number of ways to generate new
queries that would defeat any negative cache you might have.

I'm pretty sure I could find enough addresses alone that
won't respond to DNS queries to generate 1000 q/s to new
nameservers with unique IP addresses and not have to reuse
an address for weeks.

Mark

> any comment?
> c|sc0
>
> "new_new" <new_new@voila.fr> wrote in message
> news:bdi0aj$vr$1@sf1.isc.org...
> > Hello,
> >
> > I run a bind9 with solaris and I want to add a negative caching.
> >
> > When a server on the internet is out of order, the timeout for the
> > responses is always reached, and in this case my own server is infected
> > with its request pile.
> >
> > So, I'm looking for a parameter in bind which allows me to hide this
> > kind of "no-response after timeout".
> >
> > Thanks for your help.

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
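Mark's two points, not running a wide-open caching server and bounding what a silent delegation can cost, as a named.conf fragment. This is an added illustration, not configuration from the thread; the `trusted` ACL name, the 192.0.2.0/24 range and the numeric limits are placeholders to adapt, and the `fetches-per-*` options require BIND 9.11 or later.

```conf
// --- Weak: a wide-open caching server, the setup the scenario above relies on ---
// (only one of the two "options" blocks below goes into a real named.conf)
options {
    recursion yes;
    allow-recursion { any; };      // anyone on the Internet can make this server recurse
};

// --- Corrected: recurse only for your own clients and cap per-server work ---
acl "trusted" {                    // placeholder: replace with your real client networks
    127.0.0.1;
    ::1;
    192.0.2.0/24;
};

options {
    recursion yes;
    allow-recursion { trusted; };      // outsiders get REFUSED instead of a recursive lookup
    allow-query-cache { trusted; };    // and cannot read answers already in the cache

    // Size of the "recursive clients" quota the poster worries about filling.
    // Raise it for your load, but the ACL above is what stops outsiders consuming it.
    recursive-clients 1000;

    // BIND 9.11+: limit outstanding fetches to one authoritative server / zone,
    // so a delegation that never answers cannot eat the whole recursion budget.
    fetches-per-server 200;
    fetches-per-zone 200;
};
```

The IP-level anti-spoofing filters Mark mentions belong on the network edge (ingress filtering of forged source addresses), not in named.conf.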
